Debian Bug report logs - #513531
CVE-2008-4770: Arbitrary code execution via crafted RFB protocol data

version graph

Package: xvnc4viewer; Maintainer for xvnc4viewer is Ola Lundqvist <opal@debian.org>; Source for xvnc4viewer is src:vnc4.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Thu, 29 Jan 2009 22:33:01 UTC

Severity: grave

Tags: patch, security

Fixed in versions vnc4/4.1.1+X4.3.0-31, vnc4/4.1.1+X4.3.0-21+etch1

Done: Steffen Joeris <white@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Ola Lundqvist <opal@debian.org>:
Bug#513531; Package xvnc4viewer. (Thu, 29 Jan 2009 22:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Ola Lundqvist <opal@debian.org>. (Thu, 29 Jan 2009 22:33:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-4770: Arbitrary code execution via crafted RFB protocol data
Date: Thu, 29 Jan 2009 17:30:24 -0500
Package: xvnc4viewer
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for vnc4.

CVE-2008-4770[0]:
| The CMsgReader::readRect function in the VNC Viewer component in
| RealVNC VNC Free Edition 4.0 through 4.1.2, Enterprise Edition E4.0
| through E4.4.2, and Personal Edition P4.0 through P4.4.2 allows remote
| VNC servers to execute arbitrary code via crafted RFB protocol data,
| related to "encoding type."

The upstream patch[1] can be found in the redhat bugreport[2].

For lenny, this could be fixed via migration from unstable. Please CC
secure-testing-team@lists.alioth.debian.org when you email the release
team and ask for the unblock, so we are kept in the loop.

I guess the issue is also severe enough to warrant a DSA update. I
haven't tried to exploit it yet though.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4770
    http://security-tracker.debian.net/tracker/CVE-2008-4770
[1] https://bugzilla.redhat.com/attachment.cgi?id=329323
[2] https://bugzilla.redhat.com/show_bug.cgi?id=480590




Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#513531; Package xvnc4viewer. (Fri, 30 Jan 2009 07:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to opal@debian.org:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. (Fri, 30 Jan 2009 07:18:02 GMT) Full text and rfc822 format available.

Message #10 received at 513531@bugs.debian.org (full text, mbox):

From: Ola Lundqvist <opal@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 513531@bugs.debian.org
Subject: Re: Bug#513531: CVE-2008-4770: Arbitrary code execution via crafted RFB protocol data
Date: Fri, 30 Jan 2009 08:17:19 +0100
Hi Steffen

I'll upload a new package when built.
Can the package be built using etch as that is what I have on mu main
Debian development machine? I know that I got restrictions on some other
package lately.

Best regards,

// Ola

On Thu, Jan 29, 2009 at 05:30:24PM -0500, Steffen Joeris wrote:
> Package: xvnc4viewer
> Severity: grave
> Tags: security, patch
> Justification: user security hole
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for vnc4.
> 
> CVE-2008-4770[0]:
> | The CMsgReader::readRect function in the VNC Viewer component in
> | RealVNC VNC Free Edition 4.0 through 4.1.2, Enterprise Edition E4.0
> | through E4.4.2, and Personal Edition P4.0 through P4.4.2 allows remote
> | VNC servers to execute arbitrary code via crafted RFB protocol data,
> | related to "encoding type."
> 
> The upstream patch[1] can be found in the redhat bugreport[2].
> 
> For lenny, this could be fixed via migration from unstable. Please CC
> secure-testing-team@lists.alioth.debian.org when you email the release
> team and ask for the unblock, so we are kept in the loop.
> 
> I guess the issue is also severe enough to warrant a DSA update. I
> haven't tried to exploit it yet though.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> Cheers
> Steffen
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4770
>     http://security-tracker.debian.net/tracker/CVE-2008-4770
> [1] https://bugzilla.redhat.com/attachment.cgi?id=329323
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=480590
> 
> 
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  ola@inguza.com                      654 65 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------




Reply sent to Ola Lundqvist <opal@debian.org>:
You have taken responsibility. (Fri, 30 Jan 2009 23:27:04 GMT) Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Fri, 30 Jan 2009 23:27:05 GMT) Full text and rfc822 format available.

Message #15 received at 513531-close@bugs.debian.org (full text, mbox):

From: Ola Lundqvist <opal@debian.org>
To: 513531-close@bugs.debian.org
Subject: Bug#513531: fixed in vnc4 4.1.1+X4.3.0-31
Date: Fri, 30 Jan 2009 23:02:26 +0000
Source: vnc4
Source-Version: 4.1.1+X4.3.0-31

We believe that the bug you reported is fixed in the latest version of
vnc4, which is due to be installed in the Debian FTP archive:

vnc4_4.1.1+X4.3.0-31.diff.gz
  to pool/main/v/vnc4/vnc4_4.1.1+X4.3.0-31.diff.gz
vnc4_4.1.1+X4.3.0-31.dsc
  to pool/main/v/vnc4/vnc4_4.1.1+X4.3.0-31.dsc
vnc4server_4.1.1+X4.3.0-31_i386.deb
  to pool/main/v/vnc4/vnc4server_4.1.1+X4.3.0-31_i386.deb
xvnc4viewer_4.1.1+X4.3.0-31_i386.deb
  to pool/main/v/vnc4/xvnc4viewer_4.1.1+X4.3.0-31_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513531@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ola Lundqvist <opal@debian.org> (supplier of updated vnc4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 30 Jan 2009 19:27:21 +0100
Source: vnc4
Binary: vnc4server xvnc4viewer
Architecture: source i386
Version: 4.1.1+X4.3.0-31
Distribution: unstable
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Ola Lundqvist <opal@debian.org>
Description: 
 vnc4server - Virtual network computing server software
 xvnc4viewer - Virtual network computing client software for X
Closes: 513531
Changes: 
 vnc4 (4.1.1+X4.3.0-31) unstable; urgency=high
 .
   * Correction for CVE-2008-4770. Arbitrary code execution via crafted
     RFB protocol data. Closes: #513531.
Files: 
 59be0980149d0ef90d88c3845db25ebf 663 x11 optional vnc4_4.1.1+X4.3.0-31.dsc
 5ec0ca816b60a9cb91121602762ad666 51494 x11 optional vnc4_4.1.1+X4.3.0-31.diff.gz
 d7f6fa25209d15105de9e70fc632a6a6 1894578 x11 optional vnc4server_4.1.1+X4.3.0-31_i386.deb
 14f9b1751971870fe77d539d9701b847 139576 net optional xvnc4viewer_4.1.1+X4.3.0-31_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJg4MSGKGxzw/lPdkRAj/GAJ9WvqcfEvLnXMRBr2VWFcPoqYmZYACdFRqp
AEt1VRNDhbUnCNGn5am3lSM=
=R1D9
-----END PGP SIGNATURE-----





Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Sun, 15 Mar 2009 21:15:04 GMT) Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sun, 15 Mar 2009 21:15:04 GMT) Full text and rfc822 format available.

Message #20 received at 513531-close@bugs.debian.org (full text, mbox):

From: Steffen Joeris <white@debian.org>
To: 513531-close@bugs.debian.org
Subject: Bug#513531: fixed in vnc4 4.1.1+X4.3.0-21+etch1
Date: Sun, 15 Mar 2009 19:54:32 +0000
Source: vnc4
Source-Version: 4.1.1+X4.3.0-21+etch1

We believe that the bug you reported is fixed in the latest version of
vnc4, which is due to be installed in the Debian FTP archive:

vnc4-common_4.1.1+X4.3.0-21+etch1_i386.deb
  to pool/main/v/vnc4/vnc4-common_4.1.1+X4.3.0-21+etch1_i386.deb
vnc4_4.1.1+X4.3.0-21+etch1.diff.gz
  to pool/main/v/vnc4/vnc4_4.1.1+X4.3.0-21+etch1.diff.gz
vnc4_4.1.1+X4.3.0-21+etch1.dsc
  to pool/main/v/vnc4/vnc4_4.1.1+X4.3.0-21+etch1.dsc
vnc4server_4.1.1+X4.3.0-21+etch1_i386.deb
  to pool/main/v/vnc4/vnc4server_4.1.1+X4.3.0-21+etch1_i386.deb
xvnc4viewer_4.1.1+X4.3.0-21+etch1_i386.deb
  to pool/main/v/vnc4/xvnc4viewer_4.1.1+X4.3.0-21+etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513531@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated vnc4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 30 Jan 2009 19:09:27 +0000
Source: vnc4
Binary: vnc4-common vnc4server xvnc4viewer
Architecture: source i386
Version: 4.1.1+X4.3.0-21+etch1
Distribution: stable-security
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 vnc4-common - Virtual network computing server software
 vnc4server - Virtual network computing server software
 xvnc4viewer - Virtual network computing client software for X
Closes: 513531
Changes: 
 vnc4 (4.1.1+X4.3.0-21+etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix arbitrary code execution via crafted RFB protocol data
     (Closes: #513531)
     Fixes: CVE-2008-4770
Files: 
 0d0f0e7f58c6440481b8bfa83af8cd63 696 x11 optional vnc4_4.1.1+X4.3.0-21+etch1.dsc
 b28c43385fe574d612ddbd0b645082f7 31536534 x11 optional vnc4_4.1.1+X4.3.0.orig.tar.gz
 55c92400d7949023c3488dcec680d613 50904 x11 optional vnc4_4.1.1+X4.3.0-21+etch1.diff.gz
 a1e67da97e85e0ca290e3644b551c686 2015342 x11 optional vnc4server_4.1.1+X4.3.0-21+etch1_i386.deb
 9cedf57dd52455c76332f585f6c52dc8 147628 net optional xvnc4viewer_4.1.1+X4.3.0-21+etch1_i386.deb
 27cf156a68540519f9efd4b81fd51dff 18640 x11 optional vnc4-common_4.1.1+X4.3.0-21+etch1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmDgXMACgkQ62zWxYk/rQc9RwCfWmEkYOwlTTqsjqFXkaVp3gge
HvUAoLsx2j6gSktmnafxfolx73leqoDX
=+/6F
-----END PGP SIGNATURE-----





Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Thu, 09 Apr 2009 17:24:05 GMT) Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Thu, 09 Apr 2009 17:24:05 GMT) Full text and rfc822 format available.

Message #25 received at 513531-close@bugs.debian.org (full text, mbox):

From: Steffen Joeris <white@debian.org>
To: 513531-close@bugs.debian.org
Subject: Bug#513531: fixed in vnc4 4.1.1+X4.3.0-21+etch1
Date: Thu, 09 Apr 2009 17:12:46 +0000
Source: vnc4
Source-Version: 4.1.1+X4.3.0-21+etch1

We believe that the bug you reported is fixed in the latest version of
vnc4, which is due to be installed in the Debian FTP archive:

vnc4-common_4.1.1+X4.3.0-21+etch1_i386.deb
  to pool/main/v/vnc4/vnc4-common_4.1.1+X4.3.0-21+etch1_i386.deb
vnc4_4.1.1+X4.3.0-21+etch1.diff.gz
  to pool/main/v/vnc4/vnc4_4.1.1+X4.3.0-21+etch1.diff.gz
vnc4_4.1.1+X4.3.0-21+etch1.dsc
  to pool/main/v/vnc4/vnc4_4.1.1+X4.3.0-21+etch1.dsc
vnc4server_4.1.1+X4.3.0-21+etch1_i386.deb
  to pool/main/v/vnc4/vnc4server_4.1.1+X4.3.0-21+etch1_i386.deb
xvnc4viewer_4.1.1+X4.3.0-21+etch1_i386.deb
  to pool/main/v/vnc4/xvnc4viewer_4.1.1+X4.3.0-21+etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 513531@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated vnc4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 30 Jan 2009 19:09:27 +0000
Source: vnc4
Binary: vnc4-common vnc4server xvnc4viewer
Architecture: source i386
Version: 4.1.1+X4.3.0-21+etch1
Distribution: stable-security
Urgency: high
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 vnc4-common - Virtual network computing server software
 vnc4server - Virtual network computing server software
 xvnc4viewer - Virtual network computing client software for X
Closes: 513531
Changes: 
 vnc4 (4.1.1+X4.3.0-21+etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix arbitrary code execution via crafted RFB protocol data
     (Closes: #513531)
     Fixes: CVE-2008-4770
Files: 
 0d0f0e7f58c6440481b8bfa83af8cd63 696 x11 optional vnc4_4.1.1+X4.3.0-21+etch1.dsc
 b28c43385fe574d612ddbd0b645082f7 31536534 x11 optional vnc4_4.1.1+X4.3.0.orig.tar.gz
 55c92400d7949023c3488dcec680d613 50904 x11 optional vnc4_4.1.1+X4.3.0-21+etch1.diff.gz
 a1e67da97e85e0ca290e3644b551c686 2015342 x11 optional vnc4server_4.1.1+X4.3.0-21+etch1_i386.deb
 9cedf57dd52455c76332f585f6c52dc8 147628 net optional xvnc4viewer_4.1.1+X4.3.0-21+etch1_i386.deb
 27cf156a68540519f9efd4b81fd51dff 18640 x11 optional vnc4-common_4.1.1+X4.3.0-21+etch1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmDgXMACgkQ62zWxYk/rQc9RwCfWmEkYOwlTTqsjqFXkaVp3gge
HvUAoLsx2j6gSktmnafxfolx73leqoDX
=+/6F
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 08 May 2009 07:28:10 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:06:47 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.